The Cisco Talos security team supports Ukrainian organisations in defending against cyber attacks. In the process, the researchers have come across a new malware campaign targeting government agencies, critical infrastructure operators and defence, security and law enforcement organisations in Ukraine. According to the security researchers, the pro-Russian hacker group Gamaredon is behind this campaign. Holger Unterbrink, Technical Leader of Cisco Talos in Germany, explains the background:
How do the current malware attacks work?
“The campaign has been active since August 2022 and focuses on data theft and espionage. To gain long-term access to victim systems, the threat actors use prepared phishing documents. These pretend to contain information relating to the Russian invasion of Ukraine. However, they actually hide remote templates with malicious macros. Their job is to place malware on victims’ computers to then exfiltrate targeted information.”
What makes this method of attack particularly dangerous?
“In this case, the actors use a specially crafted ‘information stealer’. This is malware with a dual scope. On the one hand, it is able to steal the file types that are particularly interesting for the attacker. On the other hand, it can be used to place additional targeted payloads on infected computers.”
Talos recognises the signature of the hacker group Gamaredon in this attack. Why?
“We see great similarities in the tactics, techniques, malware and infrastructure used with attacks uncovered by CERT-UA, Ukraine’s Computer Emergency Response Team, and attributed to Gamaredon.”
What do we know about Gamaredon?
“The group is a threat actor that has been active since at least 2013 and has been consistently linked to pro-Russian activity over the years. Gamaredon is extremely aggressive, but does not usually draw attention to itself with high-profile campaigns. In our estimation, however, the group is on par with some of the most prolific crimeware gangs. Interestingly, their approach is not what one would expect from an advanced hacking group. Such groups, called ‘APT’, focus on targeted, high-impact activities that leave extremely little trace and are therefore difficult to detect. Gamaredon is the exact opposite of this. The group uses common tactics from the world of crimeware and is extremely ‘loud’ for a threat actor. Gamaredon also lacks the sophisticated techniques we see in some advanced operations. However, it has an extremely broad infrastructure and controls more than 600 domains that it deploys at various points along the infection timeline.”
How dangerous is the group for German companies?
“Due to the group’s specific approach, this question is difficult to answer. So far, we see no signs that the group directly profits from the information of its victims. We therefore do not rule out the possibility that it acts as a service provider on behalf of other APT actors. And another peculiarity: in contrast to the usual approach of APTs, Gamaredon does not target a specific victim group, but instead targets users all over the world. This group targets everyone from banks in Africa to educational institutions in the US. At this point at the latest, companies and institutions in Germany should also be on their guard.”
Details of the Talos security researchers’ findings can be found in these blog posts:
https://blog.talosintelligence.com/2021/02/gamaredonactivities.html
https://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html?m=1